Cylance has discovered a ‘new’ vulnerability in Windows, a weakness that was never patched by Microsoft.
The bug, called “Redirect to SMB,” is a variant of a vulnerability found in Windows by Aaron Spangler 18 years ago: this cause the exposition of a user’s Windows username and password.
From Cylance website:
Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.
and about the original vulnerability:
The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://22.214.171.124/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 126.96.36.199.
In his white paper, Cylance says that are 31 applications vulnerable to this flaw:
Widely Used Applications:
- Adobe Reader
- Apple QuickTime
- Apple Software Update (which handles the updating for iTunes)
- Internet Explorer
- Windows Media Player
- Excel 2010, and even in Microsoft Baseline Security Analyzer
- Symantec’s Norton Security Scan
- VG Free
- BitDefender Free
- Comodo Antivirus
- .NET Reflector
- Maltego CE
- Box Sync
- Github for Windows
- IntelliJ IDEA
- PHP Storm
- JDK 8u31’s installer
How do you protect yourself?
- Block outbound traffic from TCP 139 and TCP 445.
- Apply applicable and up-to-date software patches from vendors.
- Use strong passwords so that it requires a larger time for brute forcing of any hashing algorithms.